gitlab-org--gitlab-foss/app/controllers/application_controller.rb

class ApplicationController < ActionController::Base
  before_filter :authenticate_user!
  before_filter :reject_blocked!
  before_filter :set_current_user_for_observers
  before_filter :add_abilities
  before_filter :dev_tools if Rails.env == 'development'
  before_filter :default_headers
  before_filter :add_gon_variables

  protect_from_forgery

  helper_method :abilities, :can?

  rescue_from Encoding::CompatibilityError do |exception|
    log_exception(exception)
    render "errors/encoding", layout: "errors", status: 500
  end

  rescue_from ActiveRecord::RecordNotFound do |exception|
    log_exception(exception)
    render "errors/not_found", layout: "errors", status: 404
  end

  protected

  def log_exception(exception)
    application_trace = ActionDispatch::ExceptionWrapper.new(env, exception).application_trace
    application_trace.map!{ |t| "  #{t}\n" }
    logger.error "\n#{exception.class.name} (#{exception.message}):\n#{application_trace.join}"
  end

  def reject_blocked!
    if current_user && current_user.blocked?
      sign_out current_user
      flash[:alert] = "Your account is blocked. Retry when an admin has unblocked it."
      redirect_to new_user_session_path
    end
  end

  def after_sign_in_path_for resource
    if resource.is_a?(User) && resource.respond_to?(:blocked?) && resource.blocked?
      sign_out resource
      flash[:alert] = "Your account is blocked. Retry when an admin has unblocked it."
      new_user_session_path
    else
      super
    end
  end

  def set_current_user_for_observers
    MergeRequestObserver.current_user = current_user
    IssueObserver.current_user = current_user
  end

  def abilities
    @abilities ||= Six.new
  end

  def can?(object, action, subject)
    abilities.allowed?(object, action, subject)
  end

  def project
    id = params[:project_id] || params[:id]

    @project = Project.find_with_namespace(id)

    if @project and can?(current_user, :read_project, @project)
      @project
    else
      @project = nil
      render_404 and return
    end
  end

  def repository
    @repository ||= project.repository
  rescue Grit::NoSuchPathError
    nil
  end

  def add_abilities
    abilities << Ability
  end

  def authorize_project!(action)
    return access_denied! unless can?(current_user, action, project)
  end

  def authorize_code_access!
    return access_denied! unless can?(current_user, :download_code, project) or project.public?
  end

  def authorize_create_team!
    return access_denied! unless can?(current_user, :create_team, nil)
  end

  def authorize_manage_user_team!
    return access_denied! unless user_team.present? && can?(current_user, :manage_user_team, user_team)
  end

  def authorize_admin_user_team!
    return access_denied! unless user_team.present? && can?(current_user, :admin_user_team, user_team)
  end

  def access_denied!
    render "errors/access_denied", layout: "errors", status: 404
  end

  def not_found!
    render "errors/not_found", layout: "errors", status: 404
  end

  def git_not_found!
    render "errors/git_not_found", layout: "errors", status: 404
  end

  def method_missing(method_sym, *arguments, &block)
    if method_sym.to_s =~ /^authorize_(.*)!$/
      authorize_project!($1.to_sym)
    else
      super
    end
  end

  def render_404
    render file: Rails.root.join("public", "404"), layout: false, status: "404"
  end

  def render_403
    render file: Rails.root.join("public", "403"), layout: false, status: "403"
  end

  def require_non_empty_project
    redirect_to @project if @project.empty_repo?
  end

  def no_cache_headers
    response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
    response.headers["Pragma"] = "no-cache"
    response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"
  end

  def dev_tools
    Rack::MiniProfiler.authorize_request
  end

  def default_headers
    headers['X-Frame-Options'] = 'DENY'
    headers['X-XSS-Protection'] = '1; mode=block'
  end

  def add_gon_variables
    gon.default_issues_tracker = Project.issues_tracker.default_value
    gon.api_version = API::API.version
    gon.api_token = current_user.private_token if current_user
    gon.gravatar_url = request.ssl? || Gitlab.config.gitlab.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url
    gon.relative_url_root = Gitlab.config.gitlab.relative_url_root
  end
end
init commit 2011-10-08 17:36:38 -04:00			`class ApplicationController < ActionController::Base`
			`before_filter :authenticate_user!`
User blocking improved. Admin area styled 2012-04-16 16:33:03 -04:00			`before_filter :reject_blocked!`
Fix IssueObserver current_user assign. Refactored observers 2012-06-24 03:01:42 -04:00			`before_filter :set_current_user_for_observers`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`before_filter :add_abilities`
Rack mini profiler for dev env 2012-08-02 02:48:24 -04:00			`before_filter :dev_tools if Rails.env == 'development'`
Dont allow gitlab be loaded in iframe 2013-02-02 13:32:13 -05:00			`before_filter :default_headers`
Default issue tracker name added to gon variables 2013-02-19 07:37:43 -05:00			`before_filter :add_gon_variables`
Fix IssueObserver current_user assign. Refactored observers 2012-06-24 03:01:42 -04:00
init commit 2011-10-08 17:36:38 -04:00			`protect_from_forgery`
Fix IssueObserver current_user assign. Refactored observers 2012-06-24 03:01:42 -04:00
init commit 2011-10-08 17:36:38 -04:00			`helper_method :abilities, :can?`

Rescue encoding error on controller level 2012-05-31 16:36:52 -04:00			`rescue_from Encoding::CompatibilityError do \|exception\|`
Log caught exceptions 2012-11-06 15:15:25 -05:00			`log_exception(exception)`
layout selected by controller name 2012-09-26 16:24:52 -04:00			`render "errors/encoding", layout: "errors", status: 500`
Rescue encoding error on controller level 2012-05-31 16:36:52 -04:00			`end`

better error handling for not found resource, gitolite error 2012-02-22 00:14:54 -05:00			`rescue_from ActiveRecord::RecordNotFound do \|exception\|`
Log caught exceptions 2012-11-06 15:15:25 -05:00			`log_exception(exception)`
layout selected by controller name 2012-09-26 16:24:52 -04:00			`render "errors/not_found", layout: "errors", status: 404`
gitosis error handle 2011-10-09 17:15:28 -04:00			`end`

clean-up code * Remove trailing whitespace * Converts hard-tabs into two-space soft-tabs * Remove consecutive blank lines 2011-10-26 09:46:25 -04:00			`protected`
init commit 2011-10-08 17:36:38 -04:00
Log caught exceptions 2012-11-06 15:15:25 -05:00			`def log_exception(exception)`
			`application_trace = ActionDispatch::ExceptionWrapper.new(env, exception).application_trace`
			`application_trace.map!{ \|t\| " #{t}\n" }`
			`logger.error "\n#{exception.class.name} (#{exception.message}):\n#{application_trace.join}"`
			`end`

User blocking improved. Admin area styled 2012-04-16 16:33:03 -04:00			`def reject_blocked!`
User's blocked field refactored to use state machine 2013-03-04 09:52:30 -05:00			`if current_user && current_user.blocked?`
allow login via private token only for atom feeds 2012-06-01 09:56:28 -04:00			`sign_out current_user`
Grammar fix in error message for blocked login (in "application_controller.rb") 2013-05-28 13:48:51 -04:00			`flash[:alert] = "Your account is blocked. Retry when an admin has unblocked it."`
User blocking improved. Admin area styled 2012-04-16 16:33:03 -04:00			`redirect_to new_user_session_path`
			`end`
			`end`

Ability to block user 2012-04-13 01:12:34 -04:00			`def after_sign_in_path_for resource`
User's blocked field refactored to use state machine 2013-03-04 09:52:30 -05:00			`if resource.is_a?(User) && resource.respond_to?(:blocked?) && resource.blocked?`
Ability to block user 2012-04-13 01:12:34 -04:00			`sign_out resource`
Grammar fix in error message for blocked login (in "application_controller.rb") 2013-05-28 13:48:51 -04:00			`flash[:alert] = "Your account is blocked. Retry when an admin has unblocked it."`
Ability to block user 2012-04-13 01:12:34 -04:00			`new_user_session_path`
			`else`
			`super`
			`end`
			`end`

Fix IssueObserver current_user assign. Refactored observers 2012-06-24 03:01:42 -04:00			`def set_current_user_for_observers`
Separate observing of Note and MergeRequests * Move is_assigned? and is_being_xx? methods to IssueCommonality This is behavior merge requests have in common with issues. Moved methods to IssueCommonality role. Put specs directly into merge_request_spec because setup differs for issues and MRs specifically in the "closed" factory to use. * Add MergeRequestObserver. Parallels IssueObserver in almost every way. Ripe for refactoring. * Rename MailerObserver to NoteObserver With merge request observing moved out of MailerObserver, all that was left was Note logic. Renamed to NoteObserver, added tests and updated application config for new observer names. Refactored NoteObserver to use the note's author and not rely on current_user. * Set current_user for MergeRequestObserver IssueObserver and MergeRequestObserver are the only observers that need a reference to the current_user that they cannot look up on the objects they are observing. 2012-10-09 18:25:29 -04:00			`MergeRequestObserver.current_user = current_user`
Fix IssueObserver current_user assign. Refactored observers 2012-06-24 03:01:42 -04:00			`IssueObserver.current_user = current_user`
			`end`

init commit 2011-10-08 17:36:38 -04:00			`def abilities`
			`@abilities \|\|= Six.new`
			`end`

			`def can?(object, action, subject)`
			`abilities.allowed?(object, action, subject)`
			`end`

clean-up code * Remove trailing whitespace * Converts hard-tabs into two-space soft-tabs * Remove consecutive blank lines 2011-10-26 09:46:25 -04:00			`def project`
Improve routing. Project access via namespace 2012-11-22 15:34:06 -05:00			`id = params[:project_id] \|\| params[:id]`

Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`@project = Project.find_with_namespace(id)`

			`if @project and can?(current_user, :read_project, @project)`
			`@project`
			`else`
			`@project = nil`
Rename repo feature 2013-05-24 17:07:19 -04:00			`render_404 and return`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`end`
init commit 2011-10-08 17:36:38 -04:00			`end`

REpostiry, Team models 2013-01-03 14:09:18 -05:00			`def repository`
			`@repository \|\|= project.repository`
			`rescue Grit::NoSuchPathError`
			`nil`
			`end`

Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`def add_abilities`
init commit 2011-10-08 17:36:38 -04:00			`abilities << Ability`
			`end`

			`def authorize_project!(action)`
better error handling for not found resource, gitolite error 2012-02-22 00:14:54 -05:00			`return access_denied! unless can?(current_user, action, project)`
security improved 2011-10-17 06:39:03 -04:00			`end`

Abilities extended. Resources security improved 2012-02-21 17:31:18 -05:00			`def authorize_code_access!`
Internally public projects Public projects listed in the public section will be linked to the actual project's page. Public projects now give any user Guest permissions to the project, allowing them to download the code, read and create issues, and view anything else in the project's pages. Ample access tests have been added to the project_access_spec to verify correct permissions and behavior on public projects. - Visitors to the site who are not logged in still cannot view the project's pages. - Logged-in users visiting a public project where they are not a team member can create issues, but not snippets. They can view the projects code, issues, merge requests, etc, just as if they were a Guest member of the project. - Since this is a public project, the user is also granted :download_code permissions, a permission normally reserved for Reporters, since they can clone the repo anyways and browse commits and branches locally. 2013-05-02 02:52:05 -04:00			`return access_denied! unless can?(current_user, :download_code, project) or project.public?`
Abilities extended. Resources security improved 2012-02-21 17:31:18 -05:00			`end`

Fix mass-assignment. Dont allow users w/o access to create team 2013-01-25 08:42:41 -05:00			`def authorize_create_team!`
			`return access_denied! unless can?(current_user, :create_team, nil)`
			`end`

update all teams code. refactoring and some corrections 2013-01-22 17:20:27 -05:00			`def authorize_manage_user_team!`
			`return access_denied! unless user_team.present? && can?(current_user, :manage_user_team, user_team)`
			`end`

			`def authorize_admin_user_team!`
			`return access_denied! unless user_team.present? && can?(current_user, :admin_user_team, user_team)`
			`end`

security improved 2011-10-17 06:39:03 -04:00			`def access_denied!`
layout selected by controller name 2012-09-26 16:24:52 -04:00			`render "errors/access_denied", layout: "errors", status: 404`
better error handling for not found resource, gitolite error 2012-02-22 00:14:54 -05:00			`end`

			`def not_found!`
layout selected by controller name 2012-09-26 16:24:52 -04:00			`render "errors/not_found", layout: "errors", status: 404`
better error handling for not found resource, gitolite error 2012-02-22 00:14:54 -05:00			`end`

			`def git_not_found!`
layout selected by controller name 2012-09-26 16:24:52 -04:00			`render "errors/git_not_found", layout: "errors", status: 404`
init commit 2011-10-08 17:36:38 -04:00			`end`

			`def method_missing(method_sym, *arguments, &block)`
			`if method_sym.to_s =~ /^authorize_(.*)!$/`
			`authorize_project!($1.to_sym)`
			`else`
			`super`
			`end`
			`end`
branch/tag memorization 2011-10-14 11:08:25 -04:00
refactoring + remove unnecessary feature 2011-10-14 12:30:31 -04:00			`def render_404`
Use Rails.root.join where appropriate 2012-09-26 14:52:01 -04:00			`render file: Rails.root.join("public", "404"), layout: false, status: "404"`
branch/tag memorization 2011-10-14 11:08:25 -04:00			`end`
issue #124 2011-10-15 11:51:58 -04:00
Only owner can remove project 2012-12-04 22:14:05 -05:00			`def render_403`
			`render file: Rails.root.join("public", "403"), layout: false, status: "403"`
			`end`

issue #124 2011-10-15 11:51:58 -04:00			`def require_non_empty_project`
Add "empty_repo?" method to Repository role Replaces two calls that this method simplifies 2012-09-04 11:37:38 -04:00			`redirect_to @project if @project.empty_repo?`
issue #124 2011-10-15 11:51:58 -04:00			`end`
fixed/fluid layout switch 2011-11-03 18:37:02 -04:00
decorators & tree model 2011-11-20 15:32:12 -05:00			`def no_cache_headers`
			`response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"`
			`response.headers["Pragma"] = "no-cache"`
			`response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"`
			`end`
Bootstrap: Issues restyled 2012-01-27 18:49:14 -05:00
Rack mini profiler for dev env 2012-08-02 02:48:24 -04:00			`def dev_tools`
			`Rack::MiniProfiler.authorize_request`
			`end`
update all teams code. refactoring and some corrections 2013-01-22 17:20:27 -05:00
Dont allow gitlab be loaded in iframe 2013-02-02 13:32:13 -05:00			`def default_headers`
			`headers['X-Frame-Options'] = 'DENY'`
			`headers['X-XSS-Protection'] = '1; mode=block'`
			`end`
Default issue tracker name added to gon variables 2013-02-19 07:37:43 -05:00
			`def add_gon_variables`
			`gon.default_issues_tracker = Project.issues_tracker.default_value`
Refactor API classes. So api classes like Gitlab::Issues become API::Issues 2013-05-14 08:33:31 -04:00			`gon.api_version = API::API.version`
Finish select2-ajax for users. Added Select2Helper for tests 2013-03-14 04:16:27 -04:00			`gon.api_token = current_user.private_token if current_user`
enforce secure gravatar urls when Gitlab.config.gitlab.https is set 2013-05-31 04:30:21 -04:00			`gon.gravatar_url = request.ssl? \|\| Gitlab.config.gitlab.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url`
[BUGFIX] User suggest at team_members/new not working with relative_url_root * Closing #3540 * Closing #3704 2013-04-24 03:31:36 -04:00			`gon.relative_url_root = Gitlab.config.gitlab.relative_url_root`
Default issue tracker name added to gon variables 2013-02-19 07:37:43 -05:00			`end`
init commit 2011-10-08 17:36:38 -04:00			`end`